1. Field of the Invention
Embodiments of the present invention generally relate to securing computer systems and, more particularly, to a method and apparatus for identifying invariants to detect software tampering.
2. Description of the Related Art
A computer is a basic necessity for almost every single person in the world. Generally, computers are regularly used for a variety of applications, for example, communication with other computers and/or people, entertainment, occupational productivity, business applications, personal or social applications and the like. Various software packages are installed on the computer and designed to utilize one or more computer resources to enable the performance of such applications. As the usage of computers increases, threats to the operation of the computer also increase. Malware is one of the most predominant threats.
Generally, malware (i.e., malicious software code) is configured to surreptitiously disrupt and degrade the stability and performance of the computer. As a result, the computer ceases to operate properly. One of the current techniques used by malware to avoid detection by security software (e.g., SYMANTEC NORTON products) is to bury itself within a memory space (e.g., one that includes a working set and file system structures) of a legitimate operating system and/or a software application component. Certain software applications, such as security software, utilize complex mechanisms for protection from tampering and subversion. Nevertheless, many software applications are unable to detect such tampering perpetrated by malware. Due to improvements in the functionality of malware, legitimate operating systems and software applications are increasingly vulnerable to malicious attacks (tampering). As a result, ensuring software integrity has become a growing concern.
One of the methods for verifying software integrity of a particular software application is to specify invariants, such as memory invariants and virtual machine invariants, and determine whether each of the specified invariants is present in one or more images (e.g., virtual machine images, memory images and the like) associated with the particular software application. Generally, memory invariants comprise static invariants, in which byte sequences in memory do not change across multiple executions of the particular software application, or semantic invariants, in which relationships between the byte sequences in the memory do not change. Similarly, virtual machine invariants are byte sequences, or relationships between byte sequences, in a virtual machine image that do not change. For example, if a first field is associated with a first value, then a second field is associated with a second value. Furthermore, the first value and second value may be semantically consistent even if the first value and second value are not literally consistent. For example, the first field may always be associated with an address of a static invariant regardless of where the static invariant is located in the memory or the image (e.g., virtual machine image).
The presence of the specified invariants denotes a strong likelihood that the particular software application has not been tampered with. On the other hand, the absence of one or more of the specified invariants signifies potential tampering with the particular software application. For example, malicious software code may hide in an area of memory associated with a particular invariant. Hence, a subsequent image does not include the particular invariant because the malicious software code resides in the area of memory previously occupied by the particular invariant. As such, the determination of an absence of the particular invariant from the subsequent image indicates an attack on the particular software application by the malicious software code.
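The two preceding paragraphs describe static invariants (byte runs that recur in every image, wherever they sit), semantic invariants (a field that always holds the address of such a run), and the check that flags their absence in a later image. The following is an added illustration written for this edit, not code from the patent or from any product it names; the 64-byte images, the `MARKER` run and the pointer field at offset 0 are constructed sample data, and the invariant derivation is a simple n-gram intersection rather than the learning method the patent proposes.

```python
import struct

# All "images" here are constructed sample data standing in for memory images
# captured from repeated executions of one application; they are not real dumps.
PTR_OFF = 0                      # assumed field holding the address of a static invariant
MARKER = b"SIG_TABLE_V1"         # byte run that never changes between executions

def make_image(marker_at, filler, size=64):
    """Build one sample image: MARKER at 'marker_at', a pointer field at PTR_OFF
    that addresses it, and per-execution filler everywhere else."""
    img = bytearray([filler]) * size
    img[marker_at:marker_at + len(MARKER)] = MARKER
    img[PTR_OFF:PTR_OFF + 4] = struct.pack("<I", marker_at)
    return bytes(img)

def static_invariants(images, n=8):
    """Location-independent byte runs (n-grams) present in every image."""
    grams = [{img[i:i + n] for i in range(len(img) - n + 1)} for img in images]
    return set.intersection(*grams)

def semantic_invariant_holds(image, ptr_off, invariant):
    """The field at ptr_off must address a copy of 'invariant', wherever it lives."""
    addr = struct.unpack_from("<I", image, ptr_off)[0]
    return image[addr:addr + len(invariant)] == invariant

def verify(image, static_set, ptr_off, invariant):
    """Return (missing_static_runs, semantic_ok); any absence suggests tampering."""
    missing = {g for g in static_set if g not in image}
    return missing, semantic_invariant_holds(image, ptr_off, invariant)

# Learning phase: three clean images from three runs; MARKER moves, the pointer follows.
CLEAN = [make_image(16, 0x01), make_image(32, 0x02), make_image(40, 0x03)]
STATIC = static_invariants(CLEAN)          # the five 8-byte windows inside MARKER

# Detection phase: a later image in which code now occupies the region MARKER held.
TAMPERED = bytearray(CLEAN[0])
TAMPERED[16:16 + len(MARKER)] = b"\xcc" * len(MARKER)
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print("clean:   ", verify(CLEAN[0], STATIC, PTR_OFF, MARKER))
    print("tampered:", verify(TAMPERED, STATIC, PTR_OFF, MARKER))
```

On the clean images every learned run is found and the pointer resolves to `MARKER`; on the tampered image all five runs are reported missing and the semantic check fails, which is the absence-based signal the text describes.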
Unfortunately, the specification of the invariants used for the prevalent software integrity verification method described above is limited to a static, manual analysis of the images. In other words, such a method requires a human analyst to produce a set of invariants associated with a software application for monitoring a system. Moreover, the set of invariants is produced by manually analyzing the images and the software documentation. Using a human analyst to perform such a manual analysis is time consuming, costly and inefficient. Furthermore, such a method does not apply machine learning techniques to the images to determine the set of invariants.
Accordingly, there is a need in the art for a method and an apparatus for identifying reliable invariants to detect software tampering, in which the reliable invariants are determined through a dynamic analysis of images using machine learning techniques.